4 Warning Signs of an Insecure App

The “golden age of digital transformation” is upon us, and companies around the globe are scurrying to meet consumers on the digital frontier. For developers, it is a virtual gold rush, as businesses overhaul their infrastructure to meet consumers where they are—their mobile phones. For most, this means developing a mobile app.

Unfortunately, the byproduct of the scramble to build a mobile app is that essential features are often overlooked or omitted entirely. There are many things that can be missed when creating an app (like network tolerance and accessibility)–but confoundingly, the feature that’s most often forgotten is the most important: app security.

Data use and privacy are top-of-mind for users. It is vital that software developers don’t cut corners when it comes to securing a mobile app. A secure app should pass the coffee table test: Would I be comfortable going to the bathroom and leaving my phone on a public coffee table?

It’s no secret that app security is a hot topic, but what are the actual warning signs of an insecure app?

1. Insufficient Authentication

How would you feel if your banking app didn’t take the time to ensure that you … were you? Authentication security measures are a critical feature of a mobile app–and it’s a major red flag if they are incomplete or missing. Password leaks happen, and the best way to prevent unauthorized access is to require additional verification via text, call, email or code, and to issue email notifications when such actions occur, a process known as multifactor authentication (MFA).

It’s recommended that mobile apps have MFA, or at a minimum, two-factor authentication, which requires two separate forms of identification before granting users access. Common examples include a one-time code texted to the user’s smartphone, or biometric screenings that scan a user’s face, fingerprint or retina to validate identity.

A lack of strong authentication tools should be a clear warning sign that an app is unsafe, especially if it stores or accesses valuable data like bank accounts or social security numbers.

2. Outdated Stack

Another warning sign of an insecure app is an outdated stack. A mobile app is only as good as the technology that powers it, and failure to update, modernize, and maintain that technology is a harbinger of major security issues. This is hard for the app user to detect—it’s usually revealed by a technology audit—because the technology stack spans all the way from the phone itself to the server or cloud back end.

Indicators of an outdated tech stack include constant bugs, inability to integrate with new tools and tech, failure to scale or weird user interface glitches that increase in frequency over time.

An outdated, irrelevant stack renders a mobile app vulnerable to cybersecurity threats. Security tech advances at a fast pace, but so does the malware and spam that threatens to infiltrate it.

The easiest way to fix this is to undergo yearly third-party mobile app code audits to ensure security.

3. Information Bleed

Unmasked inputs, notifications and resume screens are examples of information bleeds, all of which stem from app logic failures. Logic failures or logic flaws are lesser-known app security issues, but are critical, nonetheless. A logic flaw occurs when an app fails to behave as expected and makes itself susceptible to attack.

There are a few warning signs of flawed logic–like showing users more information than they need to see at a given time.

Unmasked input is an indicator of flawed UX and a major security risk. For instance, healthcare apps most likely have users’ social security numbers on file, but there’s almost never a reason to display the full number on-screen. With a flawed UX, the healthcare app could dangerously display all nine digits at once, as opposed to the customary final four. With sensitive user data on-screen, both innocent passers-by and nefarious snoopers can gain access to private information.

Notifications like text messages or app notifications that show on the screen of a mobile phone can also leave a user susceptible. It’s crucial that these messages don’t contain sensitive information that could let an observer next to the phone gain some knowledge about the user.
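The two bleeds just described, an unmasked identifier on screen and a notification that carries more than it should, both come down to deciding at render time what may be shown. As an added example (not code from the article), the JavaScript below masks an SSN-style identifier to its final four digits and builds notification text only from an explicit allowlist of fields, so a field that is not on the list can never leak into a lock-screen preview. The field names, the allowlist and the sample record are constructed.

```javascript
// Added example, not from the article: display masking and notification
// redaction. Field names and the allowlist are assumptions.

// Show only the final four digits of a nine-digit identifier. Accepts the
// dashed form "123-45-6789" or the bare form "123456789".
function maskSsn(ssn) {
  const digits = String(ssn).replace(/\D/g, '');
  if (digits.length !== 9) {
    // Refuse rather than mask a value of unknown shape: a partial mask of
    // the wrong field could still reveal something.
    throw new Error('expected a 9-digit identifier');
  }
  return '***-**-' + digits.slice(-4);
}

// Fields that are allowed to appear in notification text (assumed allowlist).
const NOTIFICATION_SAFE_FIELDS = new Set(['clinicName', 'appointmentDate']);

// Fill a template such as "Your {clinicName} visit is on {appointmentDate}"
// from a record. Any placeholder that is not on the allowlist is replaced
// with a neutral pointer back into the app, never with the field's value.
function notificationPreview(template, record) {
  return template.replace(/\{(\w+)\}/g, (match, field) => {
    if (!NOTIFICATION_SAFE_FIELDS.has(field)) return '[open app to view]';
    const value = record[field];
    return value === undefined ? '' : String(value);
  });
}

module.exports = { maskSsn, notificationPreview, NOTIFICATION_SAFE_FIELDS };
```

The allowlist is the important design choice: a denylist of "sensitive" fields fails silently the first time someone adds a new field, whereas an allowlist fails closed.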

The truth is that flawed logic should be identified in the development stages as software developers look to stress-test their own app for weaknesses.

4. Sending or Receiving Sensitive Data

In this case, the problem lies not in displaying too much information, but in transmitting too much information and storing some of it in places that can be easily inspected (browser) or accessed (disk). Any time data is transmitted between the back-end database and the end user, it’s at risk of being intercepted.

For example, a mobile app accessing data via Firebase may request that complete documents be retrieved when only a small subset of the fields is needed. The app could also be caching some of that data on disk for performance reasons. This type of practice needs to be carefully revisited.

If a user requests a single piece of data, that one piece is all that should be transmitted from the database. Imagine ordering one thing on Amazon, except what arrives on your doorstep isn’t just that one thing—it’s every item you’ve ever ordered. It’s completely unnecessary and potentially catastrophic.

Apps need to be frugal with their network use, so only the relevant information is retrieved or exchanged and that data’s persistence is kept to a minimum, secured or anonymized.
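The point of the section above is that what a screen needs, what crosses the network and what is written to disk should be three separate, deliberately small sets. The following JavaScript is an added example, not code from the article or from Firebase: it takes a full document as a client SDK would return it (Firestore's client SDKs fetch whole documents; field-level projection with select() is available only in the server-side Admin SDK), cuts it down to the fields one screen is allowed to see, derives the display form of a sensitive field at that boundary, and writes a cache entry that omits fields that must never be persisted and carries an expiry. The screens, field names, policies and the sample document are all constructed.

```javascript
// Added example, not from the article: per-screen minimization of a fetched
// document and a persistence policy for the on-device cache. All names,
// policies and the sample document are assumptions.

// Fields each screen is allowed to receive (assumed per-screen allowlist).
const SCREEN_FIELDS = {
  appointmentList: ['appointmentDate', 'clinicName'],
  profile: ['displayName', 'ssnLast4'],
};

// Fields that must never reach persistent on-device storage (assumed policy).
const NEVER_PERSIST = new Set(['ssn', 'dateOfBirth', 'insuranceId']);

// Derived fields are computed from the full record at the boundary so the
// raw value is dropped before the data reaches UI or cache layers.
const DERIVED = {
  ssnLast4: (doc) =>
    typeof doc.ssn === 'string' ? doc.ssn.replace(/\D/g, '').slice(-4) : undefined,
};

// Reduce a full document to the subset one screen needs. Unknown screens are
// an error rather than a fallback to "everything".
function minimizeForScreen(doc, screen) {
  const wanted = SCREEN_FIELDS[screen];
  if (!wanted) throw new Error(`unknown screen: ${screen}`);
  const out = {};
  for (const field of wanted) {
    const value = DERIVED[field] ? DERIVED[field](doc) : doc[field];
    if (value !== undefined) out[field] = value;
  }
  return out;
}

// Build a cache entry: strip fields that may not be persisted and attach an
// expiry so stale personal data does not linger on disk indefinitely.
function toCacheEntry(record, ttlMs, now = Date.now()) {
  const safe = {};
  for (const [key, value] of Object.entries(record)) {
    if (!NEVER_PERSIST.has(key)) safe[key] = value;
  }
  return { data: safe, expiresAt: now + ttlMs };
}

// Read back a cache entry, treating an expired one as a miss.
function readCacheEntry(entry, now = Date.now()) {
  return now < entry.expiresAt ? entry.data : null;
}

// Constructed sample of a full patient document, as returned when the app
// asks for the whole record instead of the fields it needs.
const SAMPLE_DOC = {
  displayName: 'A. Example',
  ssn: '123-45-6789',
  dateOfBirth: '1980-01-01',
  insuranceId: 'INS-0001',
  appointmentDate: '2024-05-01',
  clinicName: 'Ridge Clinic',
};

module.exports = { minimizeForScreen, toCacheEntry, readCacheEntry, SAMPLE_DOC, NEVER_PERSIST };
```

Filtering on the client only limits what is displayed and cached; the whole document still crossed the network. Getting the transfer itself down to "the one piece that was requested" means changing the data model (keeping sensitive fields in a separate document the screen never reads) or putting a backend between the app and the database that returns only the projected fields.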

The good news is that all of these warning signs are fixable and should be detected early by a capable software developer. An insecure app is a nightmare scenario that will be exploited by hackers and scammers. Failure to protect customer data could cost a business more than just money–it could cost its reputation.

As the app building gold rush is in full swing, remember to take the time to develop a quality, secure product that will best serve users. Those who skip this step in favor of speed may be left with fool’s gold.


Max de Lavenne

Max de Lavenne is CEO of the custom software development company Buildable. He also teaches rising development leaders at Linfield University. Reach him via email at buildableworks.com.
